Hey Hey,
I just came across this today and felt I should share it... PyPy allows the translation of Python into other languages... Currently it supports C, .NET, LLVM and a minimal setup of JavaScript (to be worked on during the next Google Summer of Code).
I was able to download and grab pypy 0.9 using svn by running the command:
svn co http://codespeak.net/svn/pypy/release/0.9.x pypy-0.9.x
I used their example... it worked quite well. I had a small functional .NET application that executed under Mono but didn't work under .NET quite yet (Edit: This was due to user stupidity... I forgot to copy over the associated DLL) ...
Check it out @ http://pypy.org/
Peace,
HT
So I'm in cold (well not really) Northern Ontario attending a wedding this weekend and while at a rehearsal party this evening I got to talking shop with a semi-distant relative... He's an old hand in the IT world, having graduated Computer Science at university long before I was born and having worked with Unix and in the programming world... These days he's running his own company... his backend is custom software... This got me thinking about custom applications...
So instead of designing something you go out and you purchase a license.... Let's use something that gets a lot of public use.. Shopping Cart software... I've seen plenty of places that use custom shopping cart software... There are plenty of others that purchase some of the more well known software. A quick Google search brings up plenty of available solutions... However, as you browse smaller "indy" sites, they sometimes tend to design their own very basic systems...
Pros and Cons? In-House shopping carts are developed for a certain purpose.... "commercial" (we'll include OSS for the purpose of this discussion.... essentially all "premade" solutions) shopping carts are more generic.... designed to fit many different needs with little customization. In-House shopping carts may not interact well with Merchant Accounts, Credit Card vendors, or Online Vendors (such as PayPal and WorldPay).. commercial solutions generally do... These are little differences that push many people towards the commercial software.... but what would this be without a security discussion..
So.... Security.... let's break it down to advantages of each..
In-House Shopping Cart
"Commercial" Shopping Cart
- Plenty of users means plenty of opportunity for bugs to be found, which means changes occur more frequently and problems are stopped before malicious people use them.
- You can compare products and pick one with a strong background of reliability and security... It gives you a stronger starting point.
- The developers are generally strong programmers with experience (you'll have to do your research to prove this one)... The better the programmer, generally the better the code which generally translates to "more secure code".
You may have noticed a pattern... If you haven't... look again.. I've italicized certain words as I went through that little bit....
The problem is we can only deal in generalities... we can't say for certain... Looking at those lists it is a difficult decision.... "Stronger Developers on a known to be secure product with plenty of opportunities to fix bugs and flaws before they occur" or "Software that can be patched immediately, that you know the ins and outs of and that is very tailored to your application with none of that unneeded advanced technology." Both of those are appealing... but I tend to lean more towards commercial applications... you may have to wait a bit for the fix, but there is generally a mitigation possible as soon as the problem is found (if you're willing to apply it)...
That being said... the more I look at this, the more I see valid reason for developing in-house software.... The ability to tailor it to your needs, wrap it to your environment and know the ins and outs are all very tempting... the problems I see are two-fold..
- Even though people won't easily have access to the source, they don't necessarily need it... XSS and SQL Injection are generally fairly simple to find; you don't really need the source... and look away from ASP/PHP solutions... take a look at desktop applications.. how often are flaws found via fuzzing, toying or even just day to day usage and making a simple mistake that reveals a cool flaw. This is really just security through obscurity... something that I'm not a fan of.
- Other people run the "commercial" software... I think this is key... Yeah your site may be pinched via some unknown 0-day but that can happen with custom software as well... A generic XSS/SQL injection tool... a protocol fuzzer.... someone who stumbled upon your site and wanted to test the security of it... However let's say you develop "CDO Shopping Cart"... You're 100% of the user base... However, if you take something like x-cart, plenty of people are using it... you may be 0.01% of the user base... The odds are someone else will be attacked instead of you.... Yes the odds also say that it's more likely someone will look for a flaw in that software but personally that's a risk I'd be willing to take....
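To make the "you don't need the source" point concrete, here is an added example (not code from the original post, and not from any real cart product) that plays both sides: a constructed in-memory product search with a string-concatenated query beside its parameterised twin, a constructed results page with and without HTML escaping, and the two black-box probes a tester would run against either without ever reading the code. The handlers, the sqlite table and the probe strings are all assumptions built for this example.

```python
"""Black-box XSS / SQL injection probes against a constructed toy cart.

Added example, not from the original post. The database, the search
handlers and the page renderers below are hypothetical stand-ins for an
in-house shopping cart; the probes only submit input and look at what
comes back, which is all a tester on the outside can do.
"""
import html
import sqlite3


def make_db():
    """Constructed sample catalogue, in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("widget", 9.99), ("gadget", 19.99), ("gizmo", 4.50)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """The classic in-house bug: user input concatenated straight into SQL."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, term):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (term,))
    return [row[0] for row in rows]


def probe_sqli(handler, conn, baseline="widget"):
    """Two source-free SQLi checks: does a stray quote break the query, and
    does a tautology widen the result set? Returns the findings as a dict."""
    findings = {}
    # 1. Syntax-break probe: an unbalanced quote only errors if it reached the parser.
    try:
        handler(conn, baseline + "'")
        findings["error_on_quote"] = False
    except sqlite3.Error:
        findings["error_on_quote"] = True
    # 2. Tautology probe: OR '1'='1 matches every row if the quote closed the literal.
    normal = handler(conn, baseline)
    try:
        tautology = handler(conn, baseline + "' OR '1'='1")
    except sqlite3.Error:
        tautology = []
    findings["tautology_expands_results"] = len(tautology) > len(normal)
    findings["likely_injectable"] = (
        findings["error_on_quote"] or findings["tautology_expands_results"]
    )
    return findings


# Constructed canary: harmless on its own, unmistakable if it comes back unencoded.
XSS_CANARY = "<svg onload=alert(1)>"


def page_vulnerable(term):
    """Reflects the search term into HTML verbatim."""
    return "<h1>Results for " + term + "</h1>"


def page_fixed(term):
    """Same page, with the term HTML-escaped before it is reflected."""
    return "<h1>Results for " + html.escape(term, quote=True) + "</h1>"


def probe_xss(render):
    """Reflected-XSS check: submit the canary, see whether it survives intact."""
    return XSS_CANARY in render(XSS_CANARY)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable search:", probe_sqli(search_vulnerable, db))
    print("fixed search:     ", probe_sqli(search_fixed, db))
    print("vulnerable page reflects canary:", probe_xss(page_vulnerable))
    print("fixed page reflects canary:     ", probe_xss(page_fixed))
```

Neither probe knows whether the handler concatenates or binds; the vulnerable search gives itself away with a database error on the lone quote and by returning the whole catalogue for the tautology, while the parameterised one simply finds no product named `widget'`. The same holds for the page: the escaped version returns `&lt;svg ...&gt;`, so the canary never reappears as markup. That is why keeping the source private buys so little.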
It's an interesting concept either way.... Sometimes custom applications are definitely the answer.... other times I think the commercial apps are a better bet... Then you actually get into breaking down "commercial" applications... You have Free/OSS and true Commercial... We could have a whole debate over the patch cycles for these and we'd never have a winner.... We could also compare small companies that charge an arm and a leg for nothing special (CreativeManagerPro comes to mind) compared to say a large company solution (Let's say Microsoft CRM + Sharepoint w/ Exchange and IIS) which generally costs less and provides more support but may not be as out of the box tailored as you like it.... Which do you choose then.... I say Microsoft... their security is improving... you know they're good for a regular patch cycle.... but who's heard of the alternative or what they do...
Security is a tricky business... but I think ultimately you need the proper mix of in-house software and "commercial" software in order to keep an operation going... neither is going to be perfect... both may serve you well... I would lean towards more "commercial" with a smattering of in-house but how does everyone else feel? Is In-House software the spawn of Satan.... or is it God's improvement to your enterprise?
Peace,
HT
This was posted on Slashdot and I found it very interesting:
"Our startup honestly wanted to use OSS products. We do not want to spend time for any OSS bug fixing so our main requirement was -official support for all OSS products-. We thought we were prepared to pay the price for OSS products, but then we got a price sticker shock. Now behold: QT is $3300 per seat. We have dropped the development and rewrote everything to C# (MSVS 2005 is ~$700). Embedded Linux from a reputable RT vendor is $25,000 per 5 seats per year. We needed only 3 seats. We had to buy 5 nevertheless. The support was bad. We will go for VxWorks or WinCE in our next product. Red Hat Linux WS is $299. An OEM version of Windows XP Pro is ~$140. A Cygwin commercial license will cost tens of thousands of dollars and is only available for large shops. We need 5 seats. Windows Unix services are free. After all, we have decided that the survival of our business is more important for us than 'do-good' ideas.
Except for that embedded Linux (slated for WinCE or VxWorks substitution), we are not an OSS shop anymore."
I think that it's a great question to pose to all the OSS supporters out there... Those that bash the use of Microsoft in the work place... I remember when I looked into Academic licensing for SuSE 9.0.. You also got some other Nortel software bundled with it... it was priced at 75 cents per seat... I was impressed, until I found out that under Academic licensing... Windows is even cheaper...
Even putting cost aside... I look at functionality... The GIMP... it's a great graphics editing program... however, regardless of what people say, it does not compare to the user friendliness or functionality of Adobe Photoshop.... Where are the OSS equivalents of InDesign or Illustrator? In the world of office productivity... OOo just doesn't compare to Microsoft Office in functionality and ease of use... Writer and Calc are both much more difficult to master for an inexperienced user.... I set my girlfriend up with Ubuntu on an old clamshell iBook... and provided her with OOo... She uses office applications on a daily basis... but some of the functionality and abilities just didn't exist... Had her tasks been business oriented rather than personal OOo just wouldn't have done the job...
Even Linux itself.... in some regards it still can't compare to other operating systems.. I've got to mute my input on my soundcard, otherwise I hear my TV Tuner, even when the TV software is closed and I'm not watching TV... I still can't properly play MIDI files under any MIDI-compatible program... When I plug my USB Harddrive in my computer randomly locks up... These are all issues that I've got under Linux, that didn't exist under Windows XP.. Can they all be fixed... most likely.... Will I Fix them.... most likely... Should they exist in the first place when I'm running software as "full featured" as SuSE 10.1.... Nope.
Now don't get me wrong.... Linux has been a part of my computing life for the last 10 years... I use OSS on a daily basis... For personal use I think it's absolutely amazing... for commercial use, I can think of a few packages that are worthwhile.... However I don't think that the big name apps are quite up to par yet... I don't think an office could comfortably go pure OSS and save money and headaches while doing it...
This got me thinking about the Microsoft ads about how the TCO for Linux was more than Windows... at the time I didn't believe it but now I think I'm starting to get it... Money drives people... and OSS doesn't have a lot of room to exist in today's business environments... I wonder what the OSS zealots would say if they were given a finite amount of cash and presented both options for the software in their office environment... Would they spend the extra money... or would the zealots fold?
Peace,
HT
I've got a post coming.. it's just taking a little longer to write than expected... In the mean time I had to share this... Google Labs has launched Google Code Search. There are plenty of search options... You can provide a regex or a string and you can filter based on license, language, filename and package name... It looks like it could prove very useful.
Peace,
HT
So I'm really pumped about this. Between the two domains (CDO and SpamMailBag (I didn't even look at PythonGod or SecurityNe.ws)) we've broken 10,000 unique visits.

ComputerDefense.org - Sept '06 - 9433 Unique Visits

SpamMailBag.com - Sept '06 - 5850 Unique Visits
I never expected the page to have this many readers.... so now my goal is to double this for the end of the year...
Peace,
HT
I don't even know what to say these days... Operating Systems, Office Suites, Consoles and Browsers.... All you ever hear is "Mine is better than yours".... In fields dominated by nerds and geeks, guys and gals who are generally the antithesis of "getting laid", the world is still dominated by battles regarding penis size... However, instead of the usual "I put in 200 hours of wrench time, added a 50 shot of NOS and added 200HP to this baby" we get "Software that I didn't write, don't pay for and didn't contribute to is cooler than the software you use, so I'm cool".... leave it to the geeks ...This is being driven by an article I read on arstechnica about Microsoft misleading Firefox users when they visit this page... I loaded it up and didn't get the warning they were talking about.... and I was using Firefox at the time... so I thought about this... and we have the following points..
- Microsoft can't fully support Firefox on its pages for special features like this because Firefox doesn't have the same functionality as IE.
- Firefox doesn't have the functionality because Microsoft makes use of proprietary technologies and even technologies that they make available.... the MSDN is quite cryptic at times.
- Microsoft is a software vendor... logically they are going to have proprietary technologies and software that they don't want to share... this is how they make money.